From: Michael Chang <mchang@suse.com>
To: Robbie Harwood <rharwood@redhat.com>
Cc: Zhang Boyang <zhangboyang.id@gmail.com>,
	grub-devel@gnu.org, steve@einval.com
Subject: Re: [RFC PATCH 4/4] kern/efi/sb: Use shim to verify font files
Date: Wed, 7 Dec 2022 11:10:17 +0800
Message-ID: <20221207031017.GA30466@mazu>
In-Reply-To: <jlgh6y8tsx6.fsf@redhat.com>

On Tue, Dec 06, 2022 at 11:09:57AM -0500, Robbie Harwood wrote:
> Zhang Boyang <zhangboyang.id@gmail.com> writes:
> 
> > Since font files can be wrapped as PE images by grub-wrap, use shim to
> > verify font files if Secure Boot is enabled. To prevent other PE files
> > (e.g. kernel images) from being used as wrappers, it only allows files
> > marked as Windows GUI to be used as wrappers.
> 
> Thanks for writing this; it's helpful to have something concrete to look
> at.
> 
> This approach is very font-focused, and while I understand that given
> the discussion, I do still wonder if it wouldn't be better to make fonts
> an instance of modules.  If fonts become instances of modules, and
> modules are wrapped into PE files, that not only seems cleaner but also
> gives us signed module support without baking those into the image.

Why not just make the PE wrap applicable to all file types, be it font
files, grub modules or even (static) initrd? Providing a solution to
sign arbitrary data or binaries with this PE envelope sounds to me like a
very attractive feature and worth the extra mile. :)

Thanks,
Michael

> 
> What do you think?
> 
> Be well,
> --Robbie
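
As an added illustration of the restriction described in the quoted patch
description (not code from the patch series or from GRUB): a bounds-checked
reader for the PE Subsystem field, and a check that accepts only images marked
Windows GUI. The function names and the sample header builder are hypothetical,
and the sample bytes are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SUBSYS_WINDOWS_GUI 2      /* IMAGE_SUBSYSTEM_WINDOWS_GUI */
#define SUBSYS_EFI_APPLICATION 10 /* IMAGE_SUBSYSTEM_EFI_APPLICATION */
#define OPT_SUBSYS_OFF 68         /* Subsystem offset in both PE32 and PE32+ optional headers */
#define NT_MIN (4 + 20 + OPT_SUBSYS_OFF + 2) /* "PE\0\0" + COFF header + fields up to Subsystem */

static uint32_t rd_le(const uint8_t *p, int n) { /* little-endian read of n bytes */
  uint32_t v = 0;
  while (n-- > 0) v = (v << 8) | p[n];
  return v;
}
/* Returns the PE Subsystem value, or -1 if the buffer is not a well-formed PE header. */
int pe_subsystem(const uint8_t *buf, size_t len) {
  if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z') return -1;
  uint32_t off = rd_le(buf + 0x3c, 4);            /* e_lfanew */
  if (off > len || len - off < NT_MIN) return -1; /* bounds check before any further read */
  const uint8_t *nt = buf + off;
  if (memcmp(nt, "PE\0\0", 4) != 0) return -1;
  uint32_t magic = rd_le(nt + 24, 2);
  if (magic != 0x10b && magic != 0x20b) return -1;       /* PE32 or PE32+ */
  if (rd_le(nt + 20, 2) < OPT_SUBSYS_OFF + 2) return -1; /* SizeOfOptionalHeader too small */
  return (int)rd_le(nt + 24 + OPT_SUBSYS_OFF, 2);
}
/* Hypothetical policy check: only an image marked Windows GUI may act as a wrapper. */
int wrapper_allowed(const uint8_t *buf, size_t len) {
  return pe_subsystem(buf, len) == SUBSYS_WINDOWS_GUI;
}
/* Builds a constructed, minimal PE32+ header (no sections) for the demo; returns its size. */
size_t make_sample_pe(uint8_t *buf, size_t cap, uint16_t subsystem) {
  size_t need = 0x40 + NT_MIN;
  if (cap < need) return 0;
  memset(buf, 0, need);
  memcpy(buf, "MZ", 2); buf[0x3c] = 0x40;         /* DOS magic, e_lfanew = 0x40 */
  memcpy(buf + 0x40, "PE\0\0", 4);
  buf[0x40 + 20] = OPT_SUBSYS_OFF + 2;            /* SizeOfOptionalHeader */
  buf[0x40 + 24] = 0x0b; buf[0x40 + 25] = 0x02;   /* optional header magic 0x20b */
  buf[0x40 + 24 + OPT_SUBSYS_OFF] = (uint8_t)subsystem;
  buf[0x40 + 24 + OPT_SUBSYS_OFF + 1] = (uint8_t)(subsystem >> 8);
  return need;
}
int main(void) {
  uint8_t b[256];
  size_t n = make_sample_pe(b, sizeof b, SUBSYS_WINDOWS_GUI);
  printf("GUI-marked wrapper allowed: %d\n", wrapper_allowed(b, n));
  n = make_sample_pe(b, sizeof b, SUBSYS_EFI_APPLICATION);
  printf("EFI application allowed: %d\n", wrapper_allowed(b, n));
  return 0;
}
```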
